Vigil@nce: Linux kernel, denial of service irda_bind
September 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can use irda_bind() in order to stop the kernel.
– Severity: 2/4
– Creation date: 01/09/2010
DESCRIPTION OF THE VULNERABILITY
The irda_bind() function of the file net/irda/af_irda.c associates
an AF_IRDA socket to a transport access point.
When irda_bind() is called, it calls the irda_open_tsap()
function of the file net/irda/af_irda.c to open an
access point. However, when irda_open_tsap() fails, irda_bind()
incorrectly frees allocated resources. When the socket is later
destroyed, a NULL pointer is dereferenced, stopping the kernel.
An attacker can therefore use irda_bind() numerous times in order
to stop the kernel.
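
The error-path pattern described above, as an added user-space model (not the kernel's code and not part of the bulletin): a bind routine whose failure path leaves a half-released object attached to the socket, next to a version that releases and detaches it. All struct and function names are hypothetical, and the destroy path reports the NULL-dereference condition with a return code instead of crashing.

```c
#include <stdlib.h>
#include <string.h>
/* User-space model; every name here is hypothetical, not the kernel's. */
struct obj_model  { char *name; };
struct sock_model { struct obj_model *obj; };
/* Stand-in for the access-point open step: fails when fail != 0. */
static int open_ap_model(int fail) { return fail ? -1 : 0; }
static int attach_obj(struct sock_model *s, const char *name) {
    s->obj = malloc(sizeof(*s->obj));
    if (!s->obj) return -1;
    s->obj->name = malloc(strlen(name) + 1);
    if (!s->obj->name) { free(s->obj); s->obj = NULL; return -1; }
    strcpy(s->obj->name, name);
    return 0;
}

/* Flawed error path: frees part of the object but leaves it attached. */
int bind_flawed(struct sock_model *s, const char *name, int fail) {
    if (attach_obj(s, name) < 0) return -1;
    if (open_ap_model(fail) < 0) {
        free(s->obj->name);
        s->obj->name = NULL;   /* s->obj still attached, half torn down */
        return -1;
    }
    return 0;
}

/* Corrected error path: release everything and detach it from the socket. */
int bind_fixed(struct sock_model *s, const char *name, int fail) {
    if (attach_obj(s, name) < 0) return -1;
    if (open_ap_model(fail) < 0) {
        free(s->obj->name);
        free(s->obj);
        s->obj = NULL;         /* destroy path now sees nothing attached */
        return -1;
    }
    return 0;
}

/* Destroy path: returns -1 where a teardown trusting obj->name would hit NULL. */
int sock_destroy(struct sock_model *s) {
    if (s->obj && !s->obj->name) return -1;
    if (s->obj) { free(s->obj->name); free(s->obj); s->obj = NULL; }
    return 0;
}

int main(void) {
    struct sock_model s = {0};
    return bind_fixed(&s, "demo", 1) == -1 ? sock_destroy(&s) : 1;
}
```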
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-denial-of-service-irda-bind-9893